I have a problem that is best described by viewing a diagram, which is located here.
Basically, we have a working site-to-site VPN tunnel to a vendor that allows a few machines on our private WAN to access a vendor's FTP server on the other side of the tunnel. The tunnel itself works fine if I am connecting to the remote FTP host from a host on the same subnet as the inside interface on the ASA 5520. The ACLs for the VPN on both firewalls allow traffic from 192.168.3.0 and 150.1.1.237 to pass.
On our WAN subnet, I have a machine at 150.1.1.237 that needs to connect to the vendor FTP server at the other side of the tunnel. On the router on that subnet, I added a route so that if 150.1.1.237 wants to get to 192.168.102.186, the traffic is sent to 192.168.100.1. The router at 192.168.100.1 has a route to 192.168.102.186 that sends it to 192.168.3.254. The problem is, the packet doesn't get there. If I do a traceroute from 150.1.1.237, the packet goes to the default gateway (150.1.1.1) and then to the fiber-connected interface on the other subnet. It dies at 192.168.100.1.
Am I missing something in the VPN configuration to allow the host at 150.1.1.237 to access the tunnel? Any host on 192.168.3.0 can connect fine, but 150.1.1.237 cannot. I just wasn't sure if it was a VPN issue or a router issue.
The ACL in the ASA looks like this:
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.186
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.189
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.190
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.186
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.189
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.190
I also have an access list for NAT 0 that looks like this:
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list nonat extended permit ip 150.1.1.0 255.255.255.0 192.168.102.0 255.255.255.0
The vendor has an ASA and they have mirrored my access lists. Again, I can get to the 192.168.102.186 host from the 192.168.3.0 network, but the host at 150.1.1.237 in the diagram cannot. The tracert dies at 192.168.100.1 even though I have a route in there (ip route 192.168.102.186 255.255.255.255 192.168.3.254). Everything else in our WAN works fine. People on 150 have always been able to browse the net and everything through the ASA. I just can't get that traffic destined for 192.168.102.186 to go out over the tunnel from that network.
Any ideas on what I could be missing?
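As an added example (not part of the original post), a small Python checker for the ASA ACL lines quoted above: it parses the extended ACEs and reports whether a given source and destination are both matched by the crypto ACL and exempted by the nonat ACL, so the ACL side of the question can be confirmed separately from the routing. The function names are my own; the ACL text is copied from the post.

```python
"""Check a flow against the Cisco ASA ACLs quoted in the post."""
import ipaddress

# ACL lines copied from the post: crypto ACL and NAT-exemption ACL
WAV_CLINIC = """
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.186
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.189
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.190
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.186
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.189
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.190
"""
NONAT = """
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list nonat extended permit ip 150.1.1.0 255.255.255.0 192.168.102.0 255.255.255.0
"""

def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    """Return [(action, proto, src_net, dst_net)] for each 'extended' ACE."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue  # remark or unrelated line
        action, proto, rest = tokens[3], tokens[4], tokens[5:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        entries.append((action, proto, src, dst))
    return entries

def first_match(entries, src_ip, dst_ip, proto="ip"):
    """ASA ACLs are first-match: return the action of the first ACE covering the flow."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src_net, dst_net in entries:
        if p in ("ip", proto) and s in src_net and d in dst_net:
            return action
    return None  # implicit deny at the end of every ACL

def flow_is_protected(src_ip, dst_ip):
    """True when the flow is selected for the tunnel AND exempted from NAT."""
    crypto = first_match(parse_acl(WAV_CLINIC), src_ip, dst_ip) == "permit"
    nonat = first_match(parse_acl(NONAT), src_ip, dst_ip) == "permit"
    return crypto and nonat
```

For the flow in question, `flow_is_protected("150.1.1.237", "192.168.102.186")` returns True, which narrows the problem to the path between 192.168.100.1 and the ASA inside interface rather than to these two ACLs.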